From 4c6d12640c75999cbd745456e983fc344d0296cf Mon Sep 17 00:00:00 2001
From: Jacek Caban <jacek@codeweavers.com>
Date: Wed, 6 Mar 2019 09:29:45 -0600
Subject: [PATCH] HACK secur32: Disable ECDHE-ECDSA ciphers on pre-TLS 1.3
 gnutls versions.

For Sword Art Online: Fatal Bullet, and others, on gnutls 3.5.
---
 dlls/secur32/schannel_gnutls.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/dlls/secur32/schannel_gnutls.c b/dlls/secur32/schannel_gnutls.c
index cb90d1c40d7..cbf8104a984 100644
--- a/dlls/secur32/schannel_gnutls.c
+++ b/dlls/secur32/schannel_gnutls.c
@@ -160,6 +160,7 @@ static const struct {
 };
 
 static DWORD supported_protocols;
+static char priority_quirks[128];
 
 static void check_supported_protocols(void)
 {
@@ -188,6 +189,17 @@ static void check_supported_protocols(void)
             TRACE("%s is not supported\n", protocol_priority_flags[i].gnutls_flag);
     }
 
+    /* ECDHE-ECDSA cause problems with gnutls 3.5 and Sword Art Online: Fatal Bullet */
+    /*if (!(supported_protocols & SP_PROT_TLS1_3_CLIENT)) previously restricted to older gnutls, but newer is affected, too */
+    {
+        err = pgnutls_priority_set_direct(session, "NORMAL:-ECDHE-ECDSA", NULL);
+        if (err == GNUTLS_E_SUCCESS)
+        {
+            TRACE("disabling ECDHE-ECDSA\n");
+            strcat(priority_quirks, ":-ECDHE-ECDSA");
+        }
+    }
+
     pgnutls_deinit(session);
 }
 
@@ -235,6 +247,8 @@ BOOL schan_imp_create_session(schan_imp_session *session, schan_credentials *cre
         p += strlen(p);
     }
 
+    strcat(priority, priority_quirks);
+
     TRACE("Using %s priority\n", debugstr_a(priority));
     err = pgnutls_priority_set_direct(*s, priority, NULL);
     if (err != GNUTLS_E_SUCCESS)
 
